On Fri, 11 May 2001 [EMAIL PROTECTED] wrote:
> On Fri, 11 May 2001, Craig R. McClanahan wrote:
>
> > Tomcat 4.0-beta-4 is also subject to the "...jsp%00" bug that Marc just
> > fixed in 3.2.2 (patch will be committed in a second). However, the more
> > serious issue is the introspection one (I can hear Costin laughing at me
> > from 600 miles away :-). More on that soon.
>
> Not quite.
>
> The introspection problem is not very serious - it doesn't work if
> sandboxing is enabled ( at least from what I know - if it works then it's
> a very serious VM bug ).
>
It doesn't work if you start Tomcat 4.0 with a security manager. That's
what I'm cleaning up, because it's the right long-term direction. But
we're also going to add facades for those who want to run without a
security manager installed.
> If sandboxing is not enabled - a servlet can do much worse than accessing
> internal objects - it has read access to all other applications and all
> the permissions in the world ( read to all files that tomcat can read,
> write in other application's work dir, or even change anything in most
> cases ).
>
> Of course, even with sandboxing it may be possible to find ways to get to
> the internal objects ( just look at all the applet security issues in the
> browsers ), and that would be really serious.
>
> But I couldn't find the trick yet ( and it's not that important for me
> since I also have the facades). And I'm not sure I'll laugh when someone
> finds the trick.
>
> Costin
>
>
Craig
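
The facade approach mentioned in this thread, sketched as an added example that is not part of the original messages and is not Tomcat's own code. All class and method names (`Request`, `InternalRequest`, `RequestFacade`, `getContainerConfigPath`) are hypothetical, and the path string is constructed. It compares what a web application can reach by downcasting or by public-method introspection when the container hands it the internal object directly versus a facade.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class FacadeDemo {
    // Hypothetical public API that web application code is meant to see.
    interface Request { String getParameter(String name); }

    // Hypothetical container-internal object: implements the API but also
    // exposes container state through an extra public method.
    static class InternalRequest implements Request {
        public String getParameter(String name) { return "value-of-" + name; }
        public String getContainerConfigPath() { return "/constructed/conf/server.xml"; }
    }

    // Facade: implements only the API and keeps the internal object private.
    static final class RequestFacade implements Request {
        private final InternalRequest wrapped;
        RequestFacade(InternalRequest wrapped) { this.wrapped = wrapped; }
        public String getParameter(String name) { return wrapped.getParameter(name); }
    }

    // Names of the public methods introspection finds on the object handed
    // to the web application, excluding those inherited from java.lang.Object.
    static List<String> visibleMethods(Request handedToWebapp) {
        List<String> names = new ArrayList<>();
        for (Method m : handedToWebapp.getClass().getMethods()) {
            if (m.getDeclaringClass() != Object.class) names.add(m.getName());
        }
        return names;
    }

    // Whether a downcast to the internal type would succeed.
    static boolean castReachesInternal(Request handedToWebapp) {
        return handedToWebapp instanceof InternalRequest;
    }

    public static void main(String[] args) {
        Request raw = new InternalRequest();
        Request facade = new RequestFacade(new InternalRequest());
        System.out.println("raw:    " + visibleMethods(raw) + " cast=" + castReachesInternal(raw));
        System.out.println("facade: " + visibleMethods(facade) + " cast=" + castReachesInternal(facade));
    }
}
```

The facade narrows what a cast or public-method introspection can reach; the private field behind it still relies on the JVM's access checks, which is what running with a security manager enforces.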